Ticket #9901 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

Billing page is visible to anonymous users

Reported by: lguillaume@idatainc.com Assigned to: bobbysmith007
Priority: highest Component: TimingAndEstimationPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.11

Description

The "Billing" page can be accessed by an anonymous user. I noticed this when logging in as a mostly unprivileged user that had REPORT_VIEW. I was able to access the Billing page, which didn't seem right. While still on that page I logged out and the page remained!

Tested using the "regular" branch (0.11) and the permission-enabled one.

To reproduce:

  • access a trac instance with timingandestimationplugin installed without logging in (or log out)
  • go to the /Billing url
  • Make some changes.
  • see feedback that tickets are updated.

I have not checked that tickets are actually touched. But the anonymous user should not have access to the Billing Page by default!

Attachments

Change History

03/14/12 18:29:57 changed by bobbysmith007

  • priority changed from normal to highest.
  • severity changed from normal to critical.

Wow, that's not correct (I was able to reproduce this locally as well). It's not actually a dire situation because the only thing that screen shows that could be even remotely problematic is the bill dates. The Billing screen really just fills in parameters for various reports (so the permissions set on the reports is what is actually important).

I will go ahead and publish a fix asap though.

Thanks very much for pointing this out!

03/14/12 18:31:31 changed by bobbysmith007

Also, I wonder how long this has been the case. I certainly thought that the page was requiring SOME permissions to visit.

03/14/12 20:01:11 changed by bobbysmith007

(In [11383]) T&E Bug fixes

  • remove python version requirements
  • fix date parsing (again)
  • fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

03/14/12 20:03:13 changed by bobbysmith007

(In [11384]) T&E Bug fixes (version 1.2.7)

  • Enforce customizable permission on the billing/management page
  • remove python version requirements
  • fix date parsing (again)
  • fix db_table_exists (again)

re #9612 and #9793 and #9844 and #9901

03/14/12 20:04:47 changed by bobbysmith007

(In [11385]) T&E Bug fixes (version 1.2.7 - prev version 0.9.8)

  • Enforce customizable permission on the billing/management page

re #9901

03/14/12 20:28:11 changed by bobbysmith007

  • status changed from new to closed.
  • resolution set to fixed.

I think this should be fixed. As a note it was only the permissionless version of the plugin that was failing to correctly require authorization.

Also note that while it defaults to REPORT_VIEW permissions, you can set this in the trac.ini as follows

[timingandestimation]
#change what permission is required to view the billing/management screen
# default is REPORT_VIEW
billing_permission=TRAC_ADMIN

Please let me know if any part of this doesn't work, Cheers, Russ
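The closing comment describes the fix only as "enforce a customizable permission" read from the [timingandestimation] section, defaulting to REPORT_VIEW. The following is an added, stand-alone model of that check; it is not the plugin's code. It assumes a hypothetical handler that reads the option with Python's configparser and fails closed before doing any ticket updates, which is the order the reporter's steps ("make some changes", "see feedback that tickets are updated") show was missing for anonymous users. In a real Trac plugin the same two pieces are `trac.config.Option('timingandestimation', 'billing_permission', 'REPORT_VIEW')` and `req.perm.require(action)`, which raises `trac.perm.PermissionError`; the classes and function names below are stand-ins so the example runs without Trac installed.

```python
import configparser
from typing import FrozenSet, List, Optional

# Constructed trac.ini fragment for the example (not taken from a real deployment).
TRAC_INI_ADMIN_ONLY = """
[timingandestimation]
# change what permission is required to view the billing/management screen
# default is REPORT_VIEW
billing_permission = TRAC_ADMIN
"""

# A trac.ini with no [timingandestimation] section at all: the documented default applies.
TRAC_INI_DEFAULT = """
[trac]
"""

DEFAULT_BILLING_PERMISSION = "REPORT_VIEW"

# In Trac, TRAC_ADMIN is a meta-permission that implies every other action.
SUPERUSER_ACTION = "TRAC_ADMIN"


class PermissionDenied(Exception):
    """Stand-in for trac.perm.PermissionError (hypothetical, for this example)."""


def required_billing_permission(ini_text: str) -> str:
    """Return the action the billing screen requires, falling back to REPORT_VIEW.

    A missing section or option yields the default rather than an error, so a
    stale trac.ini can never silently turn the check off.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    value = parser.get("timingandestimation", "billing_permission",
                       fallback=DEFAULT_BILLING_PERMISSION)
    value = value.strip()
    return value or DEFAULT_BILLING_PERMISSION


def require_billing_permission(granted: FrozenSet[str], ini_text: str) -> str:
    """Fail closed: raise unless the caller holds the configured action.

    An anonymous user has an empty grant set, so this always raises for them
    unless the admin deliberately granted the action to 'anonymous'.
    Returns the action name that was satisfied, for logging.
    """
    needed = required_billing_permission(ini_text)
    if needed in granted or SUPERUSER_ACTION in granted:
        return needed
    raise PermissionDenied(f"{needed} privileges are required to perform this operation")


def handle_billing_request(granted: FrozenSet[str], ini_text: str,
                           ticket_ids: List[int], audit: Optional[List[str]] = None) -> List[int]:
    """Hypothetical request handler: authorize first, mutate state only afterwards.

    `audit` collects the side effects so a caller can verify that a denied
    request touched nothing (the reporter saw "tickets are updated" feedback
    while logged out).
    """
    require_billing_permission(granted, ini_text)
    touched: List[int] = []
    for tid in ticket_ids:
        if audit is not None:
            audit.append(f"updated ticket #{tid}")
        touched.append(tid)
    return touched


if __name__ == "__main__":
    anonymous: FrozenSet[str] = frozenset()
    reporter = frozenset({"REPORT_VIEW", "TICKET_VIEW"})
    print(handle_billing_request(reporter, TRAC_INI_DEFAULT, [9901]))
    try:
        handle_billing_request(anonymous, TRAC_INI_DEFAULT, [9901])
    except PermissionDenied as exc:
        print("denied:", exc)
```

The order inside handle_billing_request is the whole point: the permission check runs before the loop that would update tickets, so a denied request produces no audit entries and no feedback message. Raising the configured action to TRAC_ADMIN in trac.ini, as the comment above suggests, then locks out the REPORT_VIEW-only user the reporter was testing with.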
